JP2753269B2 - Asymmetric key cryptography - Google Patents

Description

Description: TECHNICAL FIELD The present invention relates to an asymmetric key cryptosystem for encrypting computer messages and the like.

[Conventional technology]

Koyama et al., “Modern Cryptography Theory”, IEICE, (1986) pp. 124-135, pp. 21
7 to 237.

 The outline will be described below.

With the progress of the information society, there is a need for a technology for electronic authentication that guarantees the origin of data and the fact that data is not falsified with respect to communication data and data in files. Digital signatures using public key cryptography
This is one of the promising technologies for performing this electronic authentication. A digital signature satisfies the following three conditions.

(1) The signature cannot be forged by a third party.

(2) The signature cannot be forged by the recipient.

(3) The sender cannot deny the fact that the signature was sent later.

Conventionally, as one of the representative public key cryptosystems, there has been a cryptosystem proposed by Rabin (hereinafter abbreviated as R cryptosystem).

In the R encryption, the secret key S is S = (b, p, q), and the public key K is K = (b, n). Where p and q
Is a prime number, and n = p · q. As with other public key cryptosystems, the R signature uses different keys for digital signatures for data authentication and secret communication for data confidentiality. That is, in the case of a digital signature: The sender uses the secret key S to perform cryptographic conversion C = Sign (S,
M). Here, M is a message. C is a digital signature. The receiver performs the decryption conversion Conf (K, C) using the public key K. Here, the relationship of M = Conf (K, C) is established.

In the case of confidential communication: The communication party uses the public key K to perform the cryptographic conversion C = Enc (K, M)
I do.

The receiver performs the decryption conversion Dec (S, C) using the secret key S. Here, the relationship of M = Dec (S, C) is established.

Here, the description will be made only when the R encryption is used for the digital signature.

The encryption conversion Sign of the R encryption has a partial integer in the range of [0, n-1] in its domain. That is, the sign process can be performed when the following condition is satisfied.

[Theorem] Jacob ((b / 2) ² + M, p) = 1 (1) Jacob ((b / 2) ² + M, q) = 1 ( 2) is satisfied. Where Jacob (a, w) is the Jacobian function, Is defined by

Note that “a” is a quadratic residue of mod w, which means that x ² = a (mod w) has a solution. Generally, this condition is not always satisfied. Therefore, a digital signature cannot be applied to an arbitrary plaintext M (0 ≦ M ≦ n−1) as it is. Therefore, conventionally, the following measures have been taken. That is, first, a certain conversion fj is applied to the plaintext.

Mj = fj (M) j = 0,1,2, ...... However, f ₀ represents the non-conversion. As a specific function of fj, for example, fj (M) = M + j may be used. The steps of the countermeasures are as follows.

First, the sender decides that j = 0 and Mj obtains equations (1) and (2).
Check whether or not. If not, j = j + 1 and it is checked again whether Mj satisfies the condition. According to the theory of number theory, a transformation that satisfies the condition can be obtained with an average of 2.5 checks. Let it be fj *, and let the plaintext after conversion be Z = fj * (M). Next, the signer And sends C and information j * to the recipient. The receiver decodes Z by the decoding conversion Z = Conf (K, C), and further obtains M by applying the inverse function fj * ^-1 of fj * to Z.

[Problems to be solved by the invention]

By the way, the conventional digital signature using the R encryption has the following problems.

(1) Until the digital signature condition is satisfied, an average of 2.5
Times, conversion of fj is necessary. The 2.5 numerical values are average values, and in the worst case, no matter how many times fj is converted, the digital signature condition may not be satisfied. That is, the processing time required to create a digital signature is a probabilistic value, which may cause inconvenience in an actual communication system.

(2) When communicating a digital signature, j * must also be communicated in addition to C, which increases communication time and effort.

(3) In the case of performing a digital signature, in addition to C, j *
Must also be stored, which increases the management effort.

[Means for solving the problem]

The following mathematical properties are used to solve the above problems.

Thus, for p = 7 or 15 (mod 24), Jacob (−1, p) = − 1, Jacob (2, p) = 1 Jacob (3, p) = − 1. Q = 11 (mod 24) Jacob (−1, q) = − 1, Jacob (2, q) = − 1 Jacob (3, q) = 1.

Thereby, a having a value of −1, 2 or 3 can be determined so that Jacob (aM, p) = 1 and Jacob (aM, q) = 1 for an arbitrary message M. That is, the transformation Z = f (M) can be set to Z = aM, and Z becomes a quadratic residue in (mod p) and (mod q).

Focusing on these mathematical properties, the following means are used.

1. In an encryption conversion method of a message using two prime numbers p and q as an encryption key, a message M having a bit length i shorter than a binary bit length k of a product n = p × q of prime numbers is given as input data. When And a symbol indicating a bit sequence obtained by connecting the bit sequence A and the bit sequence M in this order. Is converted to M by selecting an appropriate function g and bit string A using To give And Jacob (Z, p) = 1, Jacob (Z, q) = 1, and the square root of Z modulo the product n of the prime numbers, Is calculated, and C of the calculation result is set as a ciphertext.

2. In a method of encrypting and converting a computer message, two prime numbers p and q satisfying p = 7 or 15 (mod 24) and q = 11 (mod 24) are used as an encryption key, and a product of prime numbers is used. When a message M having a bit length i shorter than a binary bit length k of n = p × q is given as input data, a conversion f is performed on M using a Jacobi function, and Z = f (M), And Jacob (Z, p) = 1, Jacob (Z, q) = 1, and the square root of Z modulo the product n of the prime numbers, Is calculated, and C of the calculation result is set as a ciphertext.

3. In the method of decrypting and converting a computer message, when the ciphertext C described in the means 2 is given as input data, the product n = p × q of the primes p and q is used as a decryption key and Z = C × C (mod n), and M = f ⁻¹ (Z) using the inverse variable f ^{−1 of the} conversion, M is obtained as the original message.

4. In the asymmetric key cryptosystem described in Means 2, the product of the prime numbers n = p ×, where j is an integer between 0 and k-7.
When a message M having a bit length i shorter than the binary bit length k of q by 6 + j bits or more, that is, a length i such that i ≦ k− (6 + j) is given as input data, the fifth + jth and Data obtained by connecting a bit string S consisting of ki bits such that the 6 + j-th bit is “1” and the remainder is “0” to the upper bit side of M is Y, that is, Using the Jacobian function, when Jacob (Y, p) = 1 and Jacob (Y, q) = 1, Z = Y (mod n) Jacob (Y, p) = 1, Jacob (Y, q ) =-1, Z = 2 × Y (mod n) Jacob (Y, p) = − 1, Jacob (Y, q) = 1, Z = 3 × Y (mod n) Jacob (Y, p) = − 1, Jacob (Y, q) = − 1, Z = 1 × Y (mod n), and the square root of Z modulo the prime product n, that is, Is calculated, and C of the calculation result is set as a ciphertext.

5. In the asymmetric key cryptosystem described in Means 3, if the ciphertext C is given as input data, the prime numbers p and q
Using the product n = p × q as the decryption key, Z = C × C (mod
n), B is set as a bit string of length j from j bits '0', and the upper bits of Z are In the case of Y = Z (mod n), the upper bits of Z are In the case of, Y = Z / 2 (mod n), and the upper bits of Z are In the case of, Y = Z / 3 (mod n), and when the upper first bit or the upper second bit of Z is “1”, Y = −Z (mod n). The original plaintext M is obtained by extracting the bits.

6. In the asymmetric key cryptosystem described in Means 2, the bit length i shorter than the binary bit length k of the product n = p × q of the prime number by 6 bits or more, that is, a length such that i ≦ k−6 is satisfied. When a message M of i is given as input data, a bit string S composed of ki bits whose fifth and sixth bits are “1” and the remaining bits are “0” is represented by M Y is the data obtained by connecting to the upper bit side of Using the Jacobian function, when Jacob (Y, p) = 1 and Jacob (Y, q) = 1, Z = Y (mod n) Jacob (Y, p) = 1, Jacob (Y, q) = When −1, Z = 2 × Y (mod n) Jacob (Y, p) = − 1, when Jacob (Y, q) = 1, Z = 3 × Y (mod n) Jacob (Y, p) = −1, Jacob (Y, q) = − 1, Z = 1 × Y (mod n), and the square root of Z modulo the prime product n, that is, Is calculated, and C of the calculation result is set as a ciphertext.

7. In the asymmetric key cryptosystem described in the means 3, when the ciphertext C is given as input data, the prime numbers p and q
Using the product n = p × q as the decryption key, Z = C × C (mod
n), the upper first to fifth bits of Z are '00001', Y = Z (mod n), and the upper first to fourth bits of Z are '0001', Y = Z / 2 (mod n), when the upper first to third bits of Z are '001', Y = Z / 3 (mod n), the upper first or second bit of Z is: In the case of “1”, Y = −Z (mod n), and the plaintext M from which the lower i bits of Y are extracted
Get.

8. In a method of encrypting and converting a computer message, p = 7 or 15 (mod 24), q = 11 (mod 24)
When a message M having a bit length i which does not exceed the binary bit length k of the product of prime numbers n = p × q is given as input data, using two prime numbers p and q satisfying Using the Jacobi function, two different variables f and g are applied to M, and Z = f (M), Z ′ = g (M), and Jacob (Z, p) = 1 Jacob (Z ′, p) = 1 Jacob (Z ′, q) = 1, and Z and Z ′ modulo the product n of the variables
The square root of Is used, and C is used as a digital signature indicating the author's formal approval of the message M, and C ′ is used as a digital signature indicating the author's temporary approval of the message M.

9. Built-in any one of the means 1 to 7 asymmetric key cryptosystem,
In addition, by configuring a portable computer having a function of calculating a compressed encryption of a message M 'to be approved and a function of managing an encryption key or a decryption key, the digital signature of the user can be carried anywhere and securely confirmed anywhere. To do.

(Operation)

This solves the problem of the related art. That is, (1) A digital signature can be obtained by performing a single conversion Z = f (M) on an arbitrary message M (one shorter than n by 6 bits or more).

(2) Only the digital signature C needs to be transmitted, and there is no need to transmit the conventional additional information j *.

〔Example〕

FIG. 1 shows a first embodiment of the present invention. In FIG. 1, a 504-bit message M101 and a 256-bit prime p1
02, the prime number q103 is input to the processor 104, and then cryptographically converted by the processor 104 in the order of the instructions in the program 105. As a result, a 512-bit digital signature 106 is output. The digital signature 106 is transmitted to the communication
And received as a digital signature 108 as input to the processor 110. After reception, the product n (= p) of the 512-bit digital signature 108 and the 512-bit prime number
× q) 109 is input to the processor 110, and then decoded and converted by the processor 110 in the order of the instructions in the program 111, and the result is output as a 504-bit message M112.

FIG. 2 is a flowchart of a cryptographic conversion processing procedure executed by the processor 104 and the program 105 in FIG.

Block 201: 504 bit message M101 and secret key p10
2, q103 is input to the processor 104. Where p and q are p
= 7 or 15 (mod 24), q = 11 (mod 24) is a 256-bit prime number.

Block 202: The bit string '00001100' is connected to the upper bit side of the message M. The bit string of 512 bits obtained as a result is defined as Y.

Block 203: Calculate a = Jacob (Y, p) b = Jacob (Y, q) Here, the Jacobian function Jacob is calculated as the following recursive function.

Jacob (x, y) = when x is 1, when 1 x is an even number ^{(y 2 -1) / 8 Jacob} (x / 2, y) × (-1) when x is an odd number (y-1) (X−1) / 4 Jacob (y (mod x), x) × (−1) Block 204: If a = 1 and b = 1, Z = Y (mod n).

Block 205: If a = 1 and B = -1, Z = 2Y (mod n).

Block 206: If a = -1, b = 1, Z = 3Y (mod n).

Block 207: If a = -1, b = -1, Z = -Y (mod n)
And

Block 208: Is calculated.

Where Z is the quadratic residue for (mod p) and (mod q).

here, To calculate After calculating h = q ^{((q−3) / 4) +1} (mod q) r = q ⁻¹ (mod p), Is calculated.

Is output as a digital signature.

FIG. 3 is a flowchart of a decoding conversion processing procedure executed by the processor 110 and the program 111 in FIG.

Block 301: Input digital signature C (512 bits) 108 and public key n109.

Block 302: Calculate Z = C × C (mod n).

Block 303: If the upper 5 bits of Z are '00001', Y =
Z.

Block 304: If the upper 4 bits of Z are '0001', Y = Z /
Assume 2.

Block 305: If the upper third bit or the upper second bit of Z is '001', Y = Z / 3.

Block 306: If the upper first bit or the upper second bit of Z is “1”, Y = −Z.

Block 307: Set M = Y as the lower 504 bits and output M.

Modification of First Embodiment In block 202 in FIG. 2, a bit string '00001100' is added to the upper bit side of the message M.
But instead of (a) '00000110' (b) '00000011' (c) Z = Y (mod n) or Z = 2Y (mod n), Z = 3Y
If any product calculation of (mod n) and Z = −Y (mod n) is performed, the calculation result Z is examined to obtain the above 1, 2, 3, and (−1) times. Any variable may be used as long as it can determine which product calculation has been performed, that is, Y = f (M).

FIG. 4 shows a second embodiment of the present invention, in which the sender A
1 shows a system in which a 'official digital signature' is exchanged between a receiver B (hereinafter simply referred to as A) and a receiver B (hereinafter simply referred to as B). A has a portable computer 304 and B has a portable computer 315. The portable computer 304 includes a processor 305, a memory 306, and a program 309. The program 309 further includes sub-modules such as an asymmetric key encryption algorithm 310, a compression encryption algorithm 311, and a key management function 312.
Is stored in the memory 306, and the secret key of _A (p _A , q _A ) is stored in the memory 306.
A public key n _B 308 of 307 and B is incorporated.

The portable computer 315 has a processor 319 and memory
316, a program 320 is built-in, and the program 320 further includes sub-modules such as an asymmetric key encryption algorithm 321 and a compression encryption algorithm 322,
Is stored in the memory 316. The secret key (p _B , q _B ) 317 of the receiver _B 326 and the public key n _A 318 of _A are stored in the memory 316.

The portable computer 304 is configured to receive a message M'301 having an arbitrary bit length as input data, and output the unofficial digital signature 30 of B as output data.
The digital signature 303 of the method 2 and B is output. The portable computer 315 has a message M'324 of an arbitrary bit length and a formal digital signature 325 of A.
Is output. The portable computer 304 and the portable computer 315 are connected via a communication path 314 using terminals 326 and 327 different from the input data and output data terminals.

Here, an informal digital signature of a formal digital signature is defined as follows.

Formal Digital Signature: A digital signature that indicates that a message has been formally approved.

Informal digital signature: A and B between A and B for a message
Exchange digital signatures on one side, for example, A, on the other hand, for example,
A digital signature that indicates that you promise to send to. Unofficial digital signatures are not used as official digital signatures.

A portable computer 345 is resident at the arbitration organization 331. The portable computer 345 has a processor 339,
The program 340 includes a program 340, a memory 341 and a signature invalidation file 334. The program 340 includes an asymmetric key encryption algorithm 341, a compression encryption algorithm 342, and a key management function 343.
Is stored in the memory 341 and the public key n _A 342, B of _A is stored in the memory 341.
Public key n _B 343 of have been built.

The portable computer 345 has a compressed cipher M331, a case 332 of A, a sentence 333 of B, and an informal digital signature of B
C _B '334, A's formal digital signature C _A 335, B's formal digital signature C _B 336, A's unofficial digital signature
C _A '337 is input, and the judgment 338 is output.

The arbitration organization 331 operates when any of the following troubles occurs between A and B during the exchange of the “official digital signature” in FIG.

(1) B argues in advance that the message M 'has been approved for the message M', but A argues that it has not. (2) A: On the other hand, if B argues that they have agreed to each other, but B argues that they have not, (3) Although both A and B acknowledge that they have approved in advance through discussion, they will (4) If both A and B acknowledge that they did not approve by consultation in advance, but there is a disagreement regarding the transmission or reception of formal or informal digital signatures, If, the arbitration engine 331 'informal digital signature compression encryption M331, a side of the story 332, B side of the story 333, B of C _B' the message M 334 or authoritative digital a Name C _A 335, formal digital signature B C _B 336, non-authoritative digital signature A C _A '337
Is input and the judgment 338 is output.

FIG. 5 shows a schematic flowchart of the operation in FIG.

The portable computer 304 starts operating under the instruction of block 501: A.

Block 502: The portable computer 304 sends the message M'3
Enter 01.

Block 503: Channel 314 sends message M'301 from portable computer 304 to portable computer 315.

Block 504: The portable computer 315 sends the message M'3
Receive 27.

Block 505: The portable computer 315 creates _B 's unauthorized digital signature C _B '328 under B's command.

Block 506: Channel 314 is B's unauthorized digital signature C
It sends _B '328 from portable computer 315 to the portable computer 304.

Block 507: The portable computer 304 outputs B's informal digital signature C _B '302 if it can confirm that B's open digital signature C _B ' 328 is valid.

If it cannot be confirmed, the process is interrupted and the process proceeds to the process described below (block 707 in FIG. 7).

Block 508: The portable computer 304 creates A's formal digital signature C _A 329.

Block 509: Channel 314 is A's official digital signature C _A 3
29 to the portable computer 315.

Block 510: The portable computer 315 determines that A's formal digital signature C _A 329 is valid,
Output A's official digital signature C _A 325.

If not confirmed, the process is interrupted and the process proceeds to the process described below (block 907 in FIG. 9).

Block 511: The portable computer 315 creates B's formal digital signature C _B 330.

Block 512: Channel 314 is B's formal digital signature C
_B 330 from portable computer 315 to portable computer 3
Send to 04.

Block 513: the portable computer 304, formal digital signature Once you are able After that authoritative digital signature C _B 330 B-correct ensure that formal digital signature C _B 330 is correct B B C _B 303 Is output.

If not confirmed, the process is interrupted and the process proceeds to block 1007 (FIG. 10).

Block 514: End.

FIG. 6 shows a detailed flowchart of the operation of the block 505 in FIG.

Block 601: Operation starts.

Block 602: The secret key (p _B, q _B) messages M'327 and B of any bit length to enter 317.

Block 603: The message M'327 is compressed and encrypted, and the result is set to M.

M = h (M ') where, h (M' calculations) the block cipher E _K by the key K, the I ₁ as an initial value, Do i = 1 to u I i + 1 = E Mi (I _i ) Obtained as CONTINUE M = I _{u + 1} . Here, M _i (i = 1, u) is u bit strings obtained by dividing the message M ′ 327 for each bit length L _K of the key K.

Block 604 to Block 606: The processing here is the second except for the following changes.
It is the same as the figure.

(1) Change to p → p _B and q → q _B (2) Block 202: Perform the following conversion.

Here, (a continuous sequence of 512-L _K -8 amino '0') B is added as the bit length of Y is 512 bits '0' consecutive bit strings.

(3) Block 209: Change from C to C _B '.

FIG. 7 shows a detailed flowchart of the operation of the block 507 in FIG.

Block 701: Operation starts.

Block 702: Input B's informal digital input C _B '328.

Block 703: Input message M'301 and public key nB 308 of _B.

Block 704: Compression-encrypt M ′ and set the result to Ma.

 Ma = h (M ') This process is the same as block 603 in FIG.

Block 705: Decrypt the unauthorized digital signature.

The processing here is the same as FIG. 3 except for the following changed parts.

(1) changes to the n → n _B.

(2) Change 303: If the upper 4 bits of Z are '0001', Y
Is Z.

(3) Change of 304: If the upper 4 bits of Z are '0010', Y
= Z / 2.

(4) Change of 305: If the upper 4 bits of Z are '0011', Y
= Z / 3.

(5) Modification of 306: The upper first bit or the upper second bit of Z is “1” and Z (1: 8) <n _B (1: 8) − '000010
If 00 ', then Y = -Z, where Z (1: 8) is the upper 8 bits of Z, and n _B (1: 8) is
shows the upper 8 bits of the n _B (2) when not in any case to (5) performs the processing in block 707.

(6) 307 Change: Mb = '(key length compression encryption block cipher) lower L _K bits of Y' to.

Block 706: If Ma = Mb, go to block 708.

Block 707: Interruption 1. Notify B that there is no match.

Block 708: end.

FIG. 8 shows a detailed flowchart of the operation of the block 508 in FIG.

Block 801: Operation starts.

Block 802: Message M'301 and A's secret key (p _A , q _A )
Enter 307.

Block 803: Compression-encrypt the message M'301 and set the result to M.

M ← h (M ′) Here, the method of calculating h (M ′) is shown in the block of FIG.
Same as 603.

Block 804 to Block 806: The processing here is the same as FIG. 2 except for the following changed parts.

(1) Change from p to p _A and q to q _A.

(2) Block 202: perform the following conversion.

Here, B is a bit string (512−L _K− 8) in which “0” s are added so that the bit length of Y is 512 bits.
'0's are consecutive columns).

(3) Block 209: changes to the C → C _A.

FIG. 9 shows a detailed flowchart of the operation of the block 510 in FIG.

Block 901: Operation starts.

Block 902: Enter A's formal digital signature C _A 329.

Block 903: Type the public key n _A 318 of the message M'327 and A.

Block 904: M ′ is compressed and encrypted, and the result is set to Ma.

 Ma ← h (M ′) This process is the same as block 603 in FIG.

Block 905: Decrypt formal digital signature.

The processing here is the same as in FIG. 3, except for the following changes.

(1) changes to the n → n _A.

(2) Change of 303: If the upper 6 bits of Z are '000001',
Let Y = Z.

(3) Change of 304: If the upper 6 bits of Z are '000010',
Let Y = Z / 2.

(4) Change of 305: If the upper 6 bits of Z are '000011',
Let Y = Z / 3.

(5) Modification of 306: The upper first bit or the upper second bit of Z is “1” and Z (1: 8) <n _Z (1: 8) − '0000100
If 0 ', Y = -Z. Here, Z (1: 8) is the upper 8 bits of Z, and n _A (1: 8) is the upper 8 bits of n _A.

If none of (2) to (5), block 907
What.

(6) 307 changes: the Mb = 'lower L _K bits of Y'.

Block 906: If Ma = Mb, go to block 708.

 If Ma ≠ Mb, go to block 707.

Block 907: Interrupt and ask the mediator for mediation.

Block 908: End.

FIG. 10 shows details of the operation of the block 511 in FIG.

Block 1001: Operation starts.

Block 1002: Message M'327 and the secret key of _B (p _B ,
q _B ) Enter 317.

Block 1003: The message M'327 is compressed and encrypted, and the result is set to Ma.

Ma ← h (M ') Here, the method of calculating h (M') is shown in the block of FIG.
Same as 603.

Block 1004 to Block 1006: The processing here is the same as FIG. 2 except for the following changed parts.

(1) p → p _B, change in q → q _B.

(2) Block 202: Make the following changes.

Here, B is the bit string bit length has been added so that the 512 '0' are consecutive in Y (contiguous sequence of -8 units 512-L _K '0').

(3) Block 209: changes to the C → C _B.

Block 1007: End FIG. 11 shows a detailed flowchart of the operation of block 513 in FIG.

Block 1101: Operation starts.

Block 1102: Enter B's formal digital signature C _B 330.

Block 1103: Input message M'301 and public key n _B 308 of _B.

Block 1104: M ′ is compressed and encrypted, and the result is set to Ma.

 Ma ← h (M ′) This process is the same as block 603 in FIG.

Block 1105: Decrypt formal digital signature.

The processing here is the same as in FIG. 3, except for the following changes.

(1) changes to the n → n _B.

(2) Change 303: If the upper 6 bits of Z are '000001', Y
= Z.

(3) Change of 304: Y if upper 6 bits of Z are '000010'
= Z / 2.

(4) Change of 305: Y if upper 6 bits of Z are '000011'
= Z / 3.

(5) Modification of 306: The upper first bit or the upper second bit of Z is “1”, and Z (1: 8) <n _A (1: 8) − ′ 0000
If it is 1000 ', Y = -Z.

Where Z (1: 8) is the upper 8 bits of Z and n _A (1: 8) is
is the upper 8 bits of the n _A.

If none of (2) to (5), block 1107
Is performed.

(6) 307 Change of: Mb ← 'to the lower L _K bits of the Y.

Block 1106: If Ma = Mb, the process to block 1108 is performed.

 If Ma ≠ Mb, the process of block 1107 is performed.

Block 1107: Interrupt and request the mediator to mediate.

Block 1108: End.

FIG. 12 shows the operation of the arbitration engine 331 in the block 907 in FIG. 9 and the block 1107 in FIG.

That is, the arbitrator assumes that the compressed cipher M for the message M 'is submitted to the arbitration institution and is an issue.

Assumption 2: The submitted informal or formal digital signature has been revoked in the past (it must be stored in the mediator's file as "revoked" and made available at any time). Absent.

The following operation is performed on the assumption that

(1) Listen to A and B.

Here, the terms A and B refer to the blocks in FIG.
In operations 502-504, the message M 'communicated
In contrast to (327 in FIG. 4), A or B is a statement on both sides regarding whether or not they have an intention to exchange a formal digital signature.

 Cases 1 to 4 in the vertical column of FIG.

(2) sent to A and B from B or A,
Instruct to submit an informal or formal digital signature for M.

 Four cases in the column next to Fig. 12.

(3) As a result of (1) and (2), the operation and determination as shown in FIG. 12 are performed.

First Modification of Second Embodiment In the second embodiment, the portable computer 315 is used. However, the portable computer may be replaced with a non-portable personal computer + workstation or a large-sized computer.

Modification 2 of Embodiment 2 In Steps 604 to 606 of Embodiment 2, But May be changed to

(Effect)

According to the present invention, the above-mentioned conventional problems are solved. That is, (1) 202 to 207 for an input message M of 504 bits
By the transformation M → Y → Z, Z becomes (mod p) and (mod
q) is always the quadratic residue. This has the effect of reducing the number of conversions to one, compared to the conventional method requiring an average of 2.5 conversions of M.

(2) For a 512-bit digital signature, after obtaining a transformation Z of 301-302, the original message is converted into new additional information on the transformation M → Y → Z by the transformation Z → Y → M of 303-307. Obtained without. This means that the upper 8 bits of the intermediate value Z in the process of converting from the digital signature C are M → Y → Z
This is because the information of the parameter used for performing the conversion is included. As a result, while the information J * concerning the conversion of M has been conventionally required to be transmitted in addition to the digital signature C, according to the present invention, only the digital signature C needs to be transmitted. There is an effect that the labor for management can be reduced.

(3) Further, for a message M 'having an arbitrary bit length,
By performing the compression encryption of 603, a digital signature can be performed. And the conversion shown in 604 to 606 And the conversion shown in 1004 to 1006 , Two different digital signatures C _B ′ and C _B are generated for the same message. further, A digital signature using the transformation of the above is an informal digital signature, but one that promises to return the official digital signature after receiving the other party's official digital signature, In the embodiment of FIG. 4, the digital signature using the conversion of (i) is given a role as a formal digital signature indicating that the message M 'has been formally approved.
The procedure for exchanging the 'official digital signature' shown in FIG. 5 can be realized. In other words, there is a 'official digital signature' between the two parties A and B in competitive or equal relations.
Is exchanged, on the other hand, fraudulent acts such as B not receiving B's 'official digital signature' after receiving the 'official digital signature' of the other party, eg A, are prevented. That is, if a trouble relating to the transmission and reception of the digital signature occurs between A and B, the arbitration organization intervenes, and (a) the exchange of the 'official digital signature' is performed again in the presence of the arbitration organization. .

(B) The law that has actually committed fraud is determined by the arbitration organization.

(C) Only unauthorized digital signatures are revoked.

The arbitration operation ends in one of the states.

[Brief description of the drawings]

FIG. 1 is a block diagram of an asymmetric key encryption system showing a first embodiment of the present invention, FIG. 2 is a flowchart showing an operation of a transmitting computer in FIG. 1, and FIG. FIG. 4 is a flowchart showing the operation of the computer on the receiving side in FIG. 4. FIG. 4 is a block diagram of an asymmetric key cryptosystem showing a second embodiment of the present invention. FIG. FIGS. 6 to 11 are detailed flowcharts of partial blocks in FIG. 5, and FIGS.
FIG. 5 is a diagram showing a corresponding operation of the arbitration engine in FIG. 4. .

 ──────────────────────────────────────────────────続 き Continuation of the front page (72) Inventor Yasuhiro Ishii 1 Horiyamashita, Hadano City, Kanagawa Prefecture Hitachi, Ltd. Kanagawa Prefecture Factory (56) References JP-A-62-254543 (JP, A) Kazuo Takagi, Ryoichi Sasaki, "Improvement of the Rabin-type public key cryptographic algorithm for electronic authentication" Transactions of the Institute of Electronics, Information and Communication Engineers, DI, Vol. J73-DI, No. 3, (1990) p. 350-357 S.R. Goldwasser, S.M. Mi cali, A .; Yao, "Strong Signature Schemes," ACM Symposium of Theory of Computing, (1983), P. 431-439

Claims (3)

(57) [Claims] A first processor for converting a message M into a ciphertext; a communication path for transmitting the ciphertext; and a second processor for decrypting and converting the ciphertext transmitted via the communication path. Wherein the first processor comprises: p = 7 or a prime number of 15 (mod 24), q = 11 (mod 24)
And the bit string L is Is the product of Z = Y, 2Y, 3Y, −Y
As a result, if it is determined that the bit string can determine which product calculation has been performed, (1) a = Jacob (Y, p) and b = Jacob (Y, q) are calculated, and (2) a, b (I) If a = 1, b = 1, Z = Y. (Ii) If a = 1, b = -1, Z = 2Y. (Iii) a = -1 , b = 1, Z = 3Y; (iv) a = −1, b = −1, Z = −Y, Is an encrypted text for the message M. 2. The second processor comprises: (1) Z = C × C (mod
p × q), and (2) performing the inverse operation of the product calculation determined based on the value of Z on Z to obtain the Y, and (3) deleting the bit string L from the Y. 2. The asymmetric key cryptosystem according to claim 1, wherein the message M is obtained by the following. 3. The bit string L is a bit string '0000110.
2. The asymmetric key cryptosystem according to claim 1, wherein the key is any one of '0', '00000110', and '00000011'.